Tracelog (Tracelog.exe) is an event tracing controller that runs in a Command Prompt window. This section describes Tracelog, explains its command syntax, and provides practical examples for its use.

Where can I get Tracelog?

Tracelog (Tracelog.exe) is included when you install the WDK, Visual Studio, and the Windows SDK for desktop apps. For information about downloading the kits, see Windows Hardware Downloads.

Windows Driver Kit (WDK) 8 (installation path)



Windows Driver Kit (WDK) 8.1 (installation path)



Note  The Visual Studio environment variable, %WindowsSdkDir%, represents the path to the Windows kits directory where the kits are installed, for example, C:\Program Files (x86)\Windows Kits\10.

What you can do with Tracelog

You can use Tracelog in a Command Prompt window as an event tracing controller.

Note  To control a trace session you must be a member of the Performance Log Users group or the Administrators group on the computer (Run as administrator).

Tracelog features include:

Tracelog produces an event trace log (.etl) file that contains the trace messages generated by the provider during the trace session. The messages are stored in binary format in the file. To display the trace messages in a readable format, use TraceView or Tracefmt.

Tracelog controls kernel-mode and private (user-mode) trace sessions, and special sessions such as the NT Kernel Logger trace session and the Global Logger trace session.

Tracelog runs on Windows 7 and later versions of Windows.

Many of the features of Tracelog are also available in TraceView, a tool included in the Windows Driver Kit (WDK) that has a graphical user interface in addition to a command-line interface.

In this section